Is there a way to update a single AD object in the DirectControl cache? Adflush works but it has no granular control for large or complex AD environments.

Answer:

Starting in DirectControl 5.3.1 we introduced a new command called "adobjectrefresh" to update the cache for a specific user or group object instead of the entire zone.

Due to all the latencies (AD replication, adclient cache update) after the user or group was added to request privilege (login or dzdo) or role assignments and due to the unpredictability of when this takes effect on the target machine, we need a new CLI to flush and refresh specific user/group immediately.

This new command provides a CLI to ask adclient to flush and refresh a specific user/group object immediately. The new CLI should be able to refresh user/group based on unixname/samAccountName/DN/UPN.

Currently adflush -O <GUID> can flush a specific GUID, but it's not exposed to customer, and is not convenient.

Things we need to know before using this command:a. adclient should be in connected mode when running this CLI, so object can be refreshed.b. A -f option can force flush the object in disconnected mode, though object will not be refreshed.c. If Adclient is down, CLI cannot continue.d. This CLI works for all zone type

Syntax for adobjectrefresh command:

adobjectrefresh [-f] -u username [-u username, … …]

adobjectrefresh [-f] -g groupname [-g groupname, … …]

-f, --force force flush the object even if adclient is in disconnected mode

-u, --user refresh user

-g, --group refresh group

adobjectrefresh also support multiple groups and can be specified with the following format:

To refresh a group without refreshing the group's members on a connected computer:

adobjectrefresh -gi groupname

Feedback:
Use this form to send us your feedback or report problems you experienced with this knowledge article. Please note that we may not respond to general questions and/or information requests submitted through this form. This form will not help you receive technical support.